Best Reviews may receive compensation for its content through paid collaborations. See how we sustain our work & review products.
The Majority of Gmail Users Still Don’t Use 2FA

By István F. Verified by Adam B. Last updated: December 12, 2024

Two-factor authentication has been available for more than seven years, yet hardly anyone uses it to protect their account. Google introduced its two-step authentication for Gmail accounts and gave users the option to strengthen their account security, but didn’t make it mandatory. Fast-forward to today: less than 10% of active Google accounts use two-step verification (2SV).

This gives hackers an opportunity to crack those accounts open, because they’re protected only by a username and a password. In 2011 Google rolled out a secondary layer of security for accessing Gmail accounts, where users receive a one-time password by text message or voice call each time they enter their password into the login panel. Access is then granted only if both the password and the one-time code are correct. Since then, the Authenticator app has also provided one-time passwords without requiring a text message or voice call: the app itself generates a six-digit code that is valid for only 30 seconds.

Convenience rather than security

When asked why Google is not making it mandatory for all Gmail accounts, software engineer Grzegorz Milka said in an interview with The Register: “The answer is usability. It’s about how many people we would drive out if we forced them to use additional security.”

The result is quite alarming: only a fraction of users have added the extra layer of security to their accounts. But Gmail account owners aren’t the only ones leaving their digital lives unprotected; it’s an issue for countless services. As you already know, passwords are the first line of defense against unauthorized access to user data. Given the cybersecurity risks that we are exposed to and the frequency of cyber attacks, you would expect more people to at least apply two-step verification or enable two-factor authentication on their accounts alongside the use of a password manager.

The reality, as always, looks different: 65% of U.S. internet users say that they keep track of their passwords by memorizing them and around half keep the password to at least some of their online accounts written down on a piece of paper, according to a Pew Research study.

Only a quarter of adults keep track of their passwords using a digital note or document, with just 18% saying that they save them using the built-in password-saving features available in most modern browsers. A measly 12% have used a password manager, however, and only 3% regularly rely on password management software to secure their digital lives. These alarming numbers are from as recently as 2017.

The same study found that more than half (52%) of adult internet users have used two-factor authentication, but the problem is that 39% indicated that most of their passwords are the same or very similar to other passwords used for different accounts.

2FA vs 2SV

Among the best practices recommended by cybersecurity experts is enabling two-factor authentication or two-step verification. We recommend enabling the former if possible, because the latter is less secure. Unfortunately, the media doesn’t make much effort to distinguish between them, so the phrases are often used interchangeably, even though they are not exactly the same.

You should read more about the difference between 2FA and two-step verification, but in short, the latter is less secure as it uses a cellular network for sending the one-time password. The problem with that is that cellular networks suffer from a serious security flaw affecting their SS7 (Signaling System 7) protocol, which allows hackers to siphon off data. With that data in their hands, hackers can control both security layers, and so breaking into the online account becomes a matter of when, not how.

Unfortunately, even Gmail is vulnerable to such attacks if two-step verification relies on a text message sent through the carrier network.

Our recommendation for Gmail account users

Apparently, Google’s efforts have not been enough to convince Gmail users to step outside of their comfort zone and forgo convenience for the sake of security. That includes its alternative to the 2SV called Google Prompt, which was launched in October 2017 and asks users if they want to sign in via a phone prompt instead of sending a text message. If the user isn’t expecting a login prompt and therefore declines the message then the service will block access.

Since the service is quite new, its success is still unknown. What is known, though, is that Google Prompt joins several other security measures that the company is already providing to its users: Google Authenticator, 2SV, backup codes, and Security Keys.

As always, be sure to use a password manager to protect your Gmail with cryptographically secure passwords and learn about how often you should change them.
